skill-system-soul

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because its core functionality involves reading and adopting behavioral instructions from external markdown files.
  • Ingestion points: The load-profile operation in SKILL.md and SKILL.spec.yaml reads markdown content from the profiles/ directory based on user-supplied input.
  • Boundary markers: There are no delimiters or 'ignore' instructions defined to prevent the agent from obeying malicious commands that might be embedded within a loaded profile.
  • Capability inventory: The skill relies on fs.read to ingest instructions that define the agent's identity, heuristics, and quality bars across all profiles (e.g., profiles/balanced.md, profiles/creative.md). Some profiles explicitly lower safety bars, such as profiles/creative.md which instructs the agent to 'Favor experimentation over safety'.
  • Sanitization: The skill does not specify any sanitization or validation of the profile content before the agent adopts the behavioral guidelines.
  • Additionally, the profile_name input to the load-profile operation lacks explicit sanitization against path traversal (e.g., ../), which could lead to unauthorized file access if the underlying agent implementation does not enforce strict directory sandboxing.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 08:56 AM